[Sigia-l] time-out session lengths, security, and user tasks
Christy Mylks
christy at cognetics.com
Mon Nov 11 19:41:49 EST 2002
Thanks.
Yes. There are good reasons for having a time-out period, given current
technology and server/DB processes, even though it's not ideal from a
user's POV. I suppose the gist of the question is, given that we're trying
to balance the reasons for session length and set the dial on the correct
number, it seems we have "marketing, task, and other reasons" vs. "server
drag" vs. "security reasons". Perhaps what we need is a good resource to
turn to for help in finding this balance. Any clue as to websites to check
for security and/or time-out related data?
As a note, we normally have no reason to doubt the technical team's
position on their security requirements, except: 1) they're fairly new to
the web and may need a nudge of guidance and 2) they may be setting greater
security than is required by the site contents because of their greater
role in protecting that data. (We'll naturally have to have a joint
discussion about this.)
-christy
At 06:16 PM 11/11/2002, Listera wrote:
>...edit...
>Now there's no technical reason why this "session" cannot be maintained
>indefinitely, even on a secure site. However, for reasons of security,
>workflow, mandated expiration, marketing, tracking, server workflow, etc.,
>the session is often expired after an 'appropriate' period, usually to be
>re-started at the next login.
>
>There's utterly and absolutely no "industry standard" for how long a session
>should be kept alive. There are many technical and non-technical reasons as
>to why one number may be better than another.
Christy Mylks, Usability Analysis and Design
Cognetics Corporation
http://www.cognetics.com
christy at cognetics.com
301-587-7549
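As an added illustration of the "dial" this thread is arguing about (this is not code from Christy's or Listera's messages, and the 20-minute and 8-hour values, the in-memory store and the user name are all assumed for demonstration): a session store with two separate limits rather than one number. The idle timeout is the usability-sensitive knob, since a user's task has to fit inside it; the absolute lifetime is the security cap, since it bounds how long any session, active or not, stays usable after login.

```python
"""Idle vs. absolute session expiry.

Added example for this thread, not code from the original posts. The
timeout values, the in-memory store and the user name are assumptions.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created_at: float   # login time; never updated
    last_seen: float    # last validated request; renewed on activity


class SessionStore:
    """In-memory session store with two independent limits.

    idle_timeout: seconds of inactivity after which a session expires
                  (the usability knob: user tasks must fit inside it).
    max_lifetime: seconds since login after which a session expires no
                  matter how active it is (the security cap).
    """

    def __init__(self, idle_timeout: float, max_lifetime: float, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self._clock = clock        # injectable so expiry can be tested without sleeping
        self._sessions = {}        # token -> Session

    def login(self, user: str) -> str:
        # 256-bit random token from the OS CSPRNG; never derived from user data.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, created_at=now, last_seen=now)
        return token

    def touch(self, token: str):
        """Validate a session on each request.

        Returns the user name, or None if the token is unknown or expired.
        A valid session gets its idle clock renewed (sliding expiry); the
        absolute clock, created_at, never moves.
        """
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess.last_seen > self.idle_timeout
                or now - sess.created_at > self.max_lifetime):
            del self._sessions[token]   # drop it so the token cannot be revived
            return None
        sess.last_seen = now
        return sess.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


class FakeClock:
    """Constructed test clock: advance() moves time forward deterministically."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Three outcomes: activity keeps a session alive, inactivity ends it,
    and steady activity still runs into the absolute cap."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=20 * 60, max_lifetime=8 * 60 * 60, clock=clock)
    results = {}

    token = store.login("christy")
    clock.advance(15 * 60)                 # 15 min idle: inside the 20-min window
    results["active_ok"] = store.touch(token) == "christy"
    clock.advance(25 * 60)                 # 25 min idle: past the window
    results["idle_expired"] = store.touch(token) is None

    login_at = clock.now
    token = store.login("christy")
    for _ in range(8 * 6 + 1):             # a request every 10 min for just over 8 h
        clock.advance(10 * 60)
        if store.touch(token) is None:
            break
    results["absolute_expired"] = store.touch(token) is None
    results["absolute_elapsed_s"] = clock.now - login_at   # 29400 s, first check past 8 h
    return results


if __name__ == "__main__":
    print(demo())
```

The point for the joint discussion the post mentions is that "the number" is really two numbers with different owners: the task and marketing side argues about idle_timeout, the security side about max_lifetime, and neither has to give ground on the other's knob.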